We will have 2 ZS boxes, call them ZS1 and ZS2, each with ETH00 as internal (lan) side and eth01 as the outside.
ZS1 will have a VPN to ZS2 for lan to lan connectivity. That’s easy, and we have that running.
The catch is on ZS2. It will be replacing a firewall with 2 outside IP addresses. One of the address will be for the VPN to connect to. The other address on the ouside of ZS2 will be used to take smtp, HTTPS, and 3389 traffic to forward into an internal server. We would like people to be able to NAT out to the internet and use the 2nd address on this device.
The firewall in ZS is complete greek to a Windows junkie and a self expressed Linux Noob. (No offense to the actual greek members in the forum…love the gyros!)
So…how does one configure the static entries on the outside addresses to react differently?
To be more exact…let’s say that the outside addresses of ZS2 will be 220.127.116.11 and 18.104.22.168 We’ll have the VPN from ZS1 to connect to 22.214.171.124 and we would like inbound SMTP, inbound https, inbound 3389 to respond on the 126.96.36.199 address and be forwarded to an internal lan ip of lets say 192.168.1.250. Plus…how does one direct internal traffic from users to go out (NAT) and use the 188.8.131.52 address?
Here’s the interesting part….how does one prevent the 184.108.40.206 address HTTPS from interfering with the remote https administration that I would like to have respond on 220.127.116.11
It is not that hard. If you have static IPs on the 2 ZS it is more easy. On the 18.104.22.168 interface of ZS2 add only one static route for the ZS1 WAN interface. On the 22.214.171.124 interface assign the default gateway. On the virtual servers section add the ports to be forwarded on the 126.96.36.199 only! NAT only on the 188.8.131.52 interface, the other one works with the tunnel. Regarding the http administration you may block the interfaces that you don’t want to listen to. There is the https menu on the administration page.